Update Havex.yar

b283d6df · mmorenog · 46bcc842 · b283d6df
Commit b283d6df authored Jan 18, 2016 by mmorenog
Show whitespace changes
Inline Side-by-side

Showing with 13 additions and 0 deletions

Havex.yar malware/Havex.yar +13 -0

No files found.
--- a/malware/Havex.yar
+++ b/malware/Havex.yar
@@ -69,4 +69,17 @@ rule Havex_Trojan_PHP_Server
    condition:
        all of them
 } 
+rule Havex_NetScan_Malware {
+meta:
+        description = "This rule will search for known indicators of a Havex Network Scan module infection. This module looks for hosts listening on known ICS-related ports to identify OPC or ICS systems and the file created when the scanning data is written."
+        author = "M4r14ch1"
+        date = "2015/12/21"
+        strings:
+                $s0 = "~tracedscn.yls" wide nocase //yls file created in temp directory
+                $s1 = { 2B E2 ?? }      //Measuresoft ScadaPro
+                $s2 = { 30 71 ?? }      //7-Technologies IGSS SCADA
+                $s3 = { 0A F1 2? }      //Rslinx
            
+        condition:
+                $s0 and ($s1 or $s2 or $s3)
+}